this post was submitted on 14 Sep 2025
116 points (99.2% liked)
Privacy
https://faq.whatsapp.com/414631957536067/
Either the report function doesn't work like they say, or messages are stored decrypted, or they can decrypt messages at will based on a simple request from another user.
Edit: fixed
I think I have to decrypt this url before I can open it
/edit: I did it! I was able to decrypt it!
https://faq.whatsapp.com/414631957536067/
This particular function is not at odds with E2EE. The client can either:
You're right, the messages would not be decrypted by the server but by the client making the report. Key rotation also shouldn't be an issue because it uses a ratcheting chain key. But if the non-malicious client is already set up to send decrypted messages to the server, this seems antithetical to the idea that WhatsApp can't read your conversations. There are clear caveats without even introducing the idea of a malicious client potentially exfiltrating decrypted messages elsewhere. Signal, on the other hand, receives the reported sender's phone number and an encrypted message ID, presumably acting on spam reports by relying on multiple reports of the same message from the same sender, rather than by reading the message.